# idaas-federation

Part of **IDAAS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Integrate SSO for an application](../../intent/idaas-integrate-application/SKILL.md). If you're unsure which path to take, check the routing skill first.

# IDaaS Federation and Single Sign-On Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|----------|------------------------|---------------|-------------|
| Manage Federation Trust Sources | Console > Identity & Access Management > Federation Trust Sources > Manage Trust Sources | An identity provider (IdP) configured and ready to establish trust; Administrative permissions for managing federation trust sources | Create, update, or delete trust relationships between IDaaS and external identity providers using SAML or OIDC protocols. |
| Bind ADFS as a SAML Identity Provider | Console > Identity Source > Inbound > Add Inbound > SAML Identity Provider | A Windows Server instance with Active Directory Domain Services (AD DS) installed and configured; Domain administrator access to the AD FS server; A wildcard TLS certificate for the AD FS service domain | Configure Microsoft Active Directory Federation Services (ADFS) as a SAML 2.0 identity provider for IDaaS SSO. |
| Bind Google Workspace as a SAML Identity Provider | Console > Identity & Access Management > Identity Source > Inbound > Add Inbound | Super administrator access to Google Workspace; Ability to log on to the Google Admin Console | Set up Google Workspace as a SAML identity provider to enable enterprise users to sign in to IDaaS via SSO. |
| Use an AD or OpenLDAP Account to Log On to a Third-Party Application | Console > IDaaS > Applications > Add Application | An Alibaba Cloud account; An AD domain or OpenLDAP server reachable from IDaaS; Network connectivity between IDaaS and your directory server | Enable delegated authentication so users can log in to third-party applications using existing AD or OpenLDAP credentials. |
| Configure Salesforce SSO in IDaaS | Console > Application > Marketplace > Search for Salesforce | An active IDaaS instance with administrator access; A Salesforce account with administrator access | Set up SAML-based SSO between IDaaS and Salesforce to allow seamless login without separate credentials. |
| Multi-address Access | Console > IDaaS > Applications > Application Settings > Advanced Configuration | SAML application must use standard protocols; Template applications must be converted to standard applications before configuration; Default Redirect URL must be set before configuring Optional Redirect URLs | Configure multiple post-login redirect URLs for SSO applications based on user roles or groups. |
| Configure SSO for Custom Apps | Console > IDaaS > Applications > Configure SSO | An existing IDaaS tenant with administrative access; A self-developed application that supports OIDC; Network access to IDaaS endpoints from the application server | Set up OpenID Connect (OIDC)-based SSO for custom-developed applications, including redirect URIs, scopes, and token settings. |

## Operation Steps

### Manage Federation Trust Sources

**Navigation**: Console > Identity & Access Management > Federation Trust Sources > Manage Trust Sources

**Prerequisites**:
- An identity provider (IdP) configured and ready to establish trust
- Administrative permissions for managing federation trust sources

1. Click on **Manage Trust Sources** from the left navigation panel  
   - Element: **Manage Trust Sources** (link) — left navigation panel  
   - Notes: Ensure you are in the correct tenant context.

2. Click the **Create Trust Source** button in the top-right corner  
   - Element: **Create Trust Source** (button) — top-right corner  
   - Notes: The button is only visible if the user has the required permissions.

3. Select the federation protocol (**SAML** or **OIDC**) from the dropdown  
   - Element: **Protocol** (dropdown) — main content area  
   - Notes: The available options depend on the selected IdP type.

4. Enter the metadata URL or upload the IdP metadata file  
   - Element: **Metadata URL / Upload File** (text_input) — main content area  
   - Notes: For SAML, this field is mandatory. For OIDC, it may be optional depending on configuration.

5. Review the trust settings and click **Confirm** to create the trust source  
   - Element: **Confirm** (button) — bottom of form  
   - Notes: A confirmation dialog will appear before final creation.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Trust Source Name | text | Yes | — | A unique name for the trust source to identify it in the console. |
| Protocol | dropdown | Yes | SAML, OIDC | The protocol used to establish the trust relationship with the identity provider. |
| Metadata URL | text | No | — | The URL where the identity provider's metadata can be retrieved. |
| Upload Metadata File | text_input | No | — | Upload a local metadata file (XML for SAML, JSON for OIDC). |
| Description | text | No | — | Optional description to provide context about the trust source. |

### Bind ADFS as a SAML Identity Provider

**Navigation**: Console > Identity Source > Inbound > Add Inbound > SAML Identity Provider

**Prerequisites**:
- A Windows Server instance with Active Directory Domain Services (AD DS) installed and configured
- Domain administrator access to the AD FS server
- A wildcard TLS certificate for the AD FS service domain

1. Log on to the IDaaS console and navigate to **Identity Source** > **Inbound**  
   - Element: **Identity Source** (menu) — left-side navigation panel  

2. Click **Add Inbound** and select **SAML Identity Provider**  
   - Element: **Add Inbound** (button) — main content area  

3. Enter a display name for the SAML identity provider, such as 'ADFS'  
   - Element: **Display Name** (text_input) — form fields in dialog  

4. Upload the `federationmetadata.xml` file retrieved from AD FS and click **Parse**  
   - Element: **Parse** (button) — form fields in dialog  
   - Notes: IDaaS automatically extracts IdP SSO URL, IdP entity ID, and signing certificate.

5. Configure login scenarios: **Manual Account Binding**, **Automatic Account Binding**, **Automatic User Creation**, **Assign Account to Organization**, **Automatic Information Update**  
   - Element: **Manual Account Binding** (checkbox) — login scenarios section  
   - Notes: Select options based on business requirements.

6. Click **Next** to configure field mapping if automatic information update is enabled  
   - Element: **Next** (button) — bottom of form  

7. Click **Confirm** to complete the SAML IdP creation  
   - Element: **Confirm** (button) — bottom of form  

8. After creation, click **Configuration Info** on the SAML IdP card and download the SP metadata XML file  
   - Element: **Configuration Info** (link) — SAML IdP card  

9. In AD FS Management console, right-click **Relying Party Trusts** and select **Add Relying Party Trust**  
   - Element: **Add Relying Party Trust** (menu) — left navigation panel  

10. In the wizard, select **Import data about the relying party from a file** and upload the SP metadata XML file  
    - Element: **Import data about the relying party from a file** (radio) — first step of wizard  

11. On the Ready to Add Trust page, select **Open the Edit Claim Rules dialog before closing the wizard**  
    - Element: **Open the Edit Claim Rules dialog** (checkbox) — Ready to Add Trust page  

12. In the Edit Claim Rules dialog, click **Add Rule** and select **Send LDAP Attributes as Claims**  
    - Element: **Add Rule** (button) — Edit Claim Rules dialog  

13. Configure the NameID claim rule to map **User-Principal-Name** to **Name ID**  
    - Element: **Claim rule name** (text_input) — claim rule configuration table  
    - Notes: Set attribute store to Active Directory, LDAP attribute to User-Principal-Name, outgoing claim type to Name ID.

14. Repeat for Email and Display Name claim rules using **E-Mail-Addresses** and **Display-Name** attributes respectively  
    - Element: **Add Rule** (button) — Edit Claim Rules dialog  
    - Notes: Ensure outgoing claim types are set to E-Mail Address and Display Name.

15. In IDaaS console, open ADFS IdP configuration and click **Modify Field Mapping**  
    - Element: **Modify Field Mapping** (button) — ADFS IdP configuration page  

16. For Display Name and Email fields, click **Add** and set mapping type to **Expression**  
    - Element: **Add** (button) — field mapping section  

17. Enter `idpUser.attributes.displayName.value` and `idpUser.attributes.email.value` as expression values  
    - Element: **Expression** (text_input) — field mapping input  

18. Click **Confirm** to save the field mapping  
    - Element: **Confirm** (button) — bottom of form  

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Display Name | text | Yes | — | Enter a name for the SAML identity provider, such as 'ADFS' |
| Login Configuration | file_upload | Yes | — | Upload the federationmetadata.xml file retrieved from AD FS |
| Manual Account Binding | checkbox | No | — | When enabled, users can manually bind to an existing account if no binding exists |
| Automatic Account Binding | checkbox | No | — | When enabled, IDaaS automatically binds the SAML user to an IDaaS account if mapped field values match |
| Automatic User Creation | checkbox | No | — | When enabled, IDaaS automatically creates a new account for unrecognized SAML users |
| Assign Account to Organization | checkbox | No | — | Unassigned IDaaS accounts are automatically placed in the specified organization |
| Automatic Information Update | checkbox | No | — | Account information is updated from SAML attributes on each sign-in based on field mapping |

### Bind Google Workspace as a SAML Identity Provider

**Navigation**: Console > Identity & Access Management > Identity Source > Inbound > Add Inbound

**Prerequisites**:
- Super administrator access to Google Workspace
- Ability to log on to the Google Admin Console

1. Go to **Identity Source** > **Inbound** in the IDaaS EIAM console and click **Add Inbound** to create a SAML identity provider  
   - Element: **Add Inbound** (button) — main content area  

2. Enter a display name for the SAML identity provider  
   - Element: **Display Name** (text_input) — form fields  

3. Paste the Google IdP Metadata URL into the **Metadata URL** field and click **Parse** to automatically fill in the IdP SSO URL, IdP entity ID, and signing certificate  
   - Element: **Parse** (button) — form fields  

4. Click **Next** to go to the scenario selection page and choose **Manual Binding** for initial setup  
   - Element: **Next** (button) — bottom of form  

5. Click **OK** to complete the SAML identity provider creation  
   - Element: **OK** (button) — bottom of form  

6. In the Google Admin Console, go to **Apps** > **Web and mobile apps** > **Add app** > **Add custom SAML app**  
   - Element: **Add custom SAML app** (link) — Apps section  

7. Enter an application name and click **Continue**  
   - Element: **Continue** (button) — top-right corner  

8. Save the IdP metadata by downloading the XML file or copying the Metadata URL  
   - Element: **Option 1 (Download XML) or Option 2 (Copy Metadata URL)** (radio) — IdP details page  
   - Notes: Recommended: use Metadata URL for automatic parsing.

9. Return to the Google Admin Console, open the created SAML application, and go to **Service Provider Details**  
   - Element: **Service Provider Details** (tab) — application settings  

10. Enter the SP Entity ID from IDaaS into the **Entity ID** field and the ACS URL into the **ACS URL** field  
    - Element: **Entity ID** (text_input) — Service Provider Details  

11. Click **Continue** to complete the SAML application configuration  
    - Element: **Continue** (button) — bottom of form  

12. Go to **User access** and enable the application for specific users, groups, or organizational units  
    - Element: **User access** (tab) — application settings  

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Display Name | text | Yes | — | Identifies this login method on the sign-in page. |
| Metadata URL | text | Yes | — | The URL to the Google IdP Metadata XML file. |
| Scenario | dropdown | Yes | Manual Binding, Automatic Binding, Auto Creation | Determines how user accounts are linked between Google Workspace and IDaaS. |
| Application Name | text | Yes | — | A name for the SAML application in Google Workspace. |
| Entity ID | text | Yes | — | The SP Entity ID obtained from the IDaaS SAML identity provider details page. |
| ACS URL | text | Yes | — | The Assertion Consumer Service URL obtained from the IDaaS SAML identity provider details page. |
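The **Parse** step in the ADFS and Google Workspace procedures above (and the metadata upload when managing trust sources) pulls the IdP entity ID, IdP SSO URL and signing certificate out of the IdP metadata. The following script is an added example, not IDaaS product code: it extracts those same values with the standard library and rejects metadata that would fail at first sign-in (SP metadata uploaded by mistake, no signing certificate, a non-HTTPS SSO endpoint). The hostnames and the certificate in the sample document are constructed.

```python
"""Check SAML IdP metadata before binding it as an identity source.

Added example, not IDaaS product code: it extracts the same values the
console's Parse button fills in (IdP entity ID, IdP SSO URL, signing
certificate) and rejects metadata that would fail at first sign-in.
The sample document below is constructed, not real AD FS output.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_saml_idp_metadata(xml_text):
    """Return entity_id, sso_url, binding and signing certs, or raise ValueError."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = None  # prefer HTTP-Redirect, then HTTP-POST; ignore other bindings
    for binding in (REDIRECT, POST):
        for svc in idp.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == binding and svc.get("Location"):
                sso = (svc.get("Location"), binding)
        if sso:
            break
    if sso is None:
        raise ValueError("no usable SingleSignOnService endpoint")
    if not sso[0].startswith("https://"):
        raise ValueError("SSO URL is not https")
    certs = []  # KeyDescriptor use="signing", or no use attribute (= both uses)
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                raw = "".join((cert.text or "").split())
                der = base64.b64decode(raw, validate=True)  # rejects a garbled paste
                if der[:1] != b"\x30":  # a DER Certificate starts with SEQUENCE
                    raise ValueError("X509Certificate is not a DER certificate")
                certs.append(raw)
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": entity_id, "sso_url": sso[0],
            "binding": sso[1], "signing_certs": certs}


def metadata_error(xml_text):
    """Return the parser's error message, or None when the metadata is usable."""
    try:
        parse_saml_idp_metadata(xml_text)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


# Constructed AD FS-style metadata; the certificate is a placeholder DER
# prefix (SEQUENCE header plus zero bytes), not a real certificate.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x01\x0a" + b"\x00" * 8).decode()
SAMPLE_ADFS_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}">
      <X509Data><X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

The AD FS entity ID is an identifier rather than an endpoint, so only the SSO URL is required to be HTTPS; run `metadata_error()` over a downloaded `federationmetadata.xml` or the Google metadata XML before uploading it.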

### Use an AD or OpenLDAP Account to Log On to a Third-Party Application

**Navigation**: Console > IDaaS > Applications > Add Application

**Prerequisites**:
- An Alibaba Cloud account
- An AD domain or OpenLDAP server reachable from IDaaS
- Network connectivity between IDaaS and your directory server

1. Click the **Sign-In** button in the IDaaS console  
   - Element: **Sign-In** (button) — top-right corner  

2. Enable **Delegated Authentication** for AD  
   - Element: **Delegated Authentication** (checkbox) — configuration panel  

3. Set **Primary Authentication Method** to **AD account** (optional)  
   - Element: **Primary Authentication Method** (dropdown) — authentication settings  
   - Notes: Available options include 'AD account' and 'IDaaS account'.

4. Go to the RAM user log-on page and click **Next**  
   - Element: **Next** (button) — log-on form  

5. Click **Login with Organization Account**  
   - Element: **Login with Organization Account** (button) — login options  

6. Enter the AD username and password directly if AD is the default method; otherwise, click the **AD** icon first  
   - Element: **AD** (icon) — authentication method selector  

7. Go to the **User Portal**  
   - Element: **User Portal** (link) — main dashboard  

8. Log on with AD credentials  
   - Element: **AD** (icon) — authentication method selector  

9. Click the **application icon** in the IDaaS application portal to log on to the application  
   - Element: **application icon** (button) — application dashboard  

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Authorize | dropdown | Yes | All Users, Manually | Controls which users can access the application. 'All Users' grants immediate access to all synchronized accounts; 'Manually' requires explicit permission assignment. |

### Configure Salesforce SSO in IDaaS

**Navigation**: Console > Application > Marketplace > Search for Salesforce

**Prerequisites**:
- An active IDaaS instance with administrator access
- A Salesforce account with administrator access

1. Go to **Application** > **Marketplace** and search for Salesforce  
   - Element: **Application** (menu) — left navigation panel  

2. Select the Salesforce application template and complete the **Add Application** process  
   - Element: **Add Application** (button) — main content area  

3. Click **Download CER Certificate File** to save the certificate  
   - Element: **Download CER Certificate File** (button) — bottom of SSO configuration page  

4. Log on to the Salesforce management platform in a new browser tab  
   - Notes: If the page fails to load or does not respond, try a different browser. Some browsers block cross-domain cookies. You can also switch to Salesforce Classic as prompted.

5. Click the **Settings** icon in the upper-right corner, then select **Setup**  
   - Element: **Settings** (icon) — upper-right corner  

6. Go to **Settings** > **Identity** > **Single Sign-On Settings**  
   - Element: **Single Sign-On Settings** (menu) — left navigation panel  

7. On the SAML Single Sign-On Settings page, click **New**  
   - Element: **New** (button) — top of page  

8. Fill in the required fields using values from IDaaS, including **Issuer**, **Entity ID**, **Identity Provider Certificate**, and **Identity Provider Login URL**  
   - Notes: The values in both systems must match. Upload the CER certificate file you downloaded from IDaaS.

9. Click **Save** and copy the sign-in URL from the configuration details page  
   - Element: **Save** (button) — top of page  
   - Notes: SSO is disabled in Salesforce by default after saving. Complete the next step to enable it.

10. Go back to the SSO configuration page in Salesforce, click **Edit**, select **Enable SAML SSO**, and save  
    - Element: **Edit** (button) — top of page  

11. Return to the IDaaS console and enter the sign-in URL copied from Salesforce  
    - Location: SSO configuration page for Salesforce application  

12. Click **Save** to complete the configuration  
    - Element: **Save** (button) — bottom of form  

13. Log on to the IDaaS portal and click the **Salesforce icon** to test SSO  
    - Element: **Salesforce icon** (button) — portal page  
    - Notes: IDaaS initiates SSO and logs you in to Salesforce automatically. If the login succeeds, the configuration is complete.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Name | text | No | — | The name of the SAML SSO configuration in Salesforce |
| API Name | text | No | — | The API name for the SAML SSO configuration in Salesforce |
| Issuer | text | Yes | — | The IdP Entity ID from IDaaS. Must match the value in IDaaS |
| Entity ID | text | Yes | http://saml.salesforce.com | The SP Entity ID. Must match the value in IDaaS |
| Identity Provider Certificate | dropdown | Yes | — | Upload the CER certificate file downloaded from IDaaS |
| Identity Provider Login URL (optional) | text | No | — | The IdP SSO URL from IDaaS. Required for SP-initiated SSO |
| Enable SAML SSO | checkbox | No | Enable SAML SSO | Enables SAML SSO in Salesforce |

### Multi-address Access

**Navigation**: Console > IDaaS > Applications > Application Settings > Advanced Configuration

**Prerequisites**:
- SAML application must use standard protocols
- Template applications must be converted to standard applications before configuration
- Default Redirect URL must be set before configuring Optional Redirect URLs

1. Navigate to the SAML application settings  
   - Element: **Advanced Configuration** (menu) — left navigation panel  

2. Set the **Default Redirect URL**  
   - Element: **Default Redirect URL** (text_input) — main content area  
   - Notes: This field is optional. If left blank, users are redirected to the application's built-in default URL.

3. Configure **Optional Redirect URLs**  
   - Element: **Optional Redirect URLs** (text_input) — main content area  
   - Notes: Must be configured after setting the Default Redirect URL. Each entry includes a display name and target URL.

4. Click **Save** to complete the configuration  
   - Element: **Save** (button) — bottom of form  
   - Notes: Changes take effect immediately. No need to update IdP metadata on the application side.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Default Redirect URL | text | No | — | The URL users land on after clicking the application card in the application portal and completing SSO. If left blank, users are redirected to the application's built-in default URL. |
| Optional Redirect URLs | text | No | — | Additional redirect destinations shown as separate entries on the application card. Each entry has a display name visible in the application portal. Users are sent to the corresponding URL after SSO. Requires Default Redirect URL to be set first. |

### Configure SSO for Custom Apps

**Navigation**: Console > IDaaS > Applications > Configure SSO

**Prerequisites**:
- An existing IDaaS tenant with administrative access
- A self-developed application that supports OIDC
- Network access to IDaaS endpoints from the application server

1. Navigate to the **Applications** section in the IDaaS console  
   - Element: **Applications** (menu) — left navigation panel  

2. Click on the application you want to configure for SSO  
   - Element: **Application name** (link) — main content area  

3. Go to the **SSO Configuration** tab  
   - Element: **SSO Configuration** (tab) — top navigation of the application details page  

4. Enter the **Logon Redirect URI** in the field  
   - Element: **Logon Redirect URI** (text_input) — basic configuration section  
   - Notes: Add one URI per line. Must match the callback URL in your application.

5. Select the desired **Authorization scope**  
   - Element: **Authorization scope** (dropdown) — basic configuration section  
   - Notes: Options include 'All Users', 'Specific Groups', etc.

6. Optional: Configure advanced settings such as **User information scopes** and token expiration times  
   - Element: **Advanced Configuration** (button) — bottom of the basic config section  
   - Notes: Use this to customize claims, token lifetimes, and refresh behavior.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Logon Redirect URI | text | Yes | — | Whitelist of redirect URIs. After authentication, IDaaS redirects users to this URI with an authorization code. |
| Authorization scope | dropdown | Yes | All Users, Specific Groups, Custom Group | The set of users who can access this application via SSO. |
| User information scopes | checkbox | No | openid, email, phone, profile | The user identity claims returned by the UserInfo endpoint. |
| Access token expiration | number_input | No | — | How long an access token is valid. Minimum: 5 minutes, Maximum: 24 hours. |
| ID token expiration | number_input | No | — | How long an ID token is valid. After expiration, use a refresh token or re-authenticate. |
| Refresh token expiration | number_input | No | — | How long a refresh token is valid. After expiration, user must sign in again. |
| Extended ID token fields | text | No | — | Additional non-sensitive user information to include in the ID token payload. |
| SSO initiator | radio | No | Application-initiated only, Support portal-initiated and application-initiated | Controls who can start the SSO flow. |
| Logon initiation address | text | No | — | The application URL that IDaaS calls when initiating a portal-initiated SSO request. |
| ID token signature algorithm | dropdown | Yes | RSA-SHA256 | The algorithm used to sign the ID token. Only RSA-SHA256 is supported. |
| Logoff callback address | text | No | — | Whitelist of URLs to redirect users to after they sign out of IDaaS. |
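The **Logon Redirect URI** and **Logoff callback address** fields above are whitelists, one URI per line, and the callback must match an entry. The following is an added example, not IDaaS product code: it shows how an OAuth 2.0 / OIDC server is expected to apply such a whitelist (exact comparison after normalising only the case-insensitive parts, no wildcards, no fragments, plain HTTP only for loopback) so that the custom application's registered URIs are chosen to pass that check. All URIs are constructed.

```python
"""Exact-match checks for the Logon Redirect URI and Logoff callback whitelists.

Added example, not IDaaS product code. It models the rule the configuration
table states (the redirect target must match a whitelisted URI) the way an
OAuth 2.0 / OIDC server should apply it: one absolute URI per line, compared
exactly after normalising only scheme/host case and a default port.
"""
from urllib.parse import urlsplit, urlunsplit

LOOPBACK = ("127.0.0.1", "::1", "localhost")
DEFAULT_PORT = {"https": 443, "http": 80}


def normalise(uri):
    """Canonical form for comparison; path, query and fragment stay untouched."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = p.hostname or ""  # urlsplit already lowercases the host
    if ":" in host:  # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if p.port and p.port != DEFAULT_PORT.get(scheme):
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path, p.query, p.fragment))


def parse_whitelist(textarea):
    """Parse the console field (one URI per line) and validate each entry.

    Raises ValueError for entries that would weaken the check: relative
    URIs, wildcards, fragments, or plain http to anything but loopback.
    """
    entries = []
    for line in textarea.splitlines():
        uri = line.strip()
        if not uri:
            continue
        p = urlsplit(uri)
        scheme = p.scheme.lower()
        if scheme not in DEFAULT_PORT or not p.hostname:
            raise ValueError(f"not an absolute http(s) URI: {uri}")
        if "*" in uri:
            raise ValueError(f"wildcards are not allowed: {uri}")
        if p.fragment:
            raise ValueError(f"fragments are not allowed: {uri}")
        if scheme == "http" and p.hostname not in LOOPBACK:
            raise ValueError(f"plain http is only allowed for loopback: {uri}")
        entries.append(normalise(uri))
    if not entries:
        raise ValueError("whitelist is empty")
    return entries


def is_allowed_redirect(whitelist, candidate):
    """True only when candidate is exactly one of the registered URIs."""
    try:
        return normalise(candidate) in whitelist
    except ValueError:  # unparsable port or host literal
        return False
```

Because the comparison is exact, a registered `https://app.example.test/callback` does not cover a different path, a query string, or a longer hostname that merely begins with the registered one; register every callback the application actually uses.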

## FAQ

Q: Where do I find the SP metadata after creating a SAML identity provider?
A: After creating the SAML IdP in IDaaS, go to the IdP card and click **Configuration Info** to view or download the SP metadata XML file.

Q: What happens if I leave the Default Redirect URL blank in Multi-address Access?
A: If left blank, users are redirected to the application's built-in default URL after SSO. Optional Redirect URLs cannot be configured unless a Default Redirect URL is set first.

Q: Can I modify field mappings after creating an ADFS identity provider?
A: Yes. Go to the ADFS IdP configuration page in IDaaS and click **Modify Field Mapping** to update attribute expressions.

Q: What permissions do I need to manage federation trust sources?
A: You need administrative permissions specifically for managing federation trust sources in the IDaaS console.

Q: Is it possible to use both SAML and OIDC for the same application?
A: No. Each trust source or application SSO configuration uses one protocol at a time. You must create separate configurations for SAML and OIDC if both are needed.

## Pricing & Billing

### Billing Model
All federation and SSO configuration features described in this guide are included in the core IDaaS service at no additional cost.

### Free Tier
- Up to 100 federation trust sources are free per account monthly.
- All SSO integrations (ADFS, Google Workspace, Salesforce, custom apps) are free within standard usage limits.
- Up to 100 concurrent SSO sessions per application for custom OIDC apps.

### Quota Limits
- Maximum 100 trust sources per account.
- No explicit usage limits for SAML/OIDC identity provider bindings.
- Concurrent SSO session limit of 100 per custom application.

### Billing Notes
- Additional trust sources beyond the free tier are billed at $0.10 per source per month.
- Billing for IDaaS is based on the overall subscription model; SSO and federation setup itself incurs no separate charges.
- Advanced features like audit logs or analytics may incur costs beyond the free tier, but basic SSO functionality remains free.